Thursday, September 17, 2015

Rewriting CIP-002, Part II

This is the second in a series of four or five posts on the need to rewrite CIP-002-5.1. You can find the first post here.

II. The Primary Problem with CIP-002-5.1
CIP-002-5.1 R1 and Attachment 1 are confusing and contradictory. However, this hasn’t stopped NERC entities, Regional auditors and even NERC staff members from coming to a pretty good consensus on what it means. And this is a good thing – otherwise, the effort to implement CIP v5 would be at a standstill.
However, the fundamental problem with CIP-002-5.1 R1 is that this consensus is completely at variance with the words in the standard. It is literally true that an entity can’t comply with the standard – in the way that virtually all parties agree it should be done – without violating the wording. And if an entity were to try to follow the literal wording of the standard, they could never come into compliance – the wording is vague and contradictory, and omits many required steps. There is simply no way the compliance process could be flowcharted, even if the chart were the size of Yankee Stadium. This makes this standard completely unenforceable, and is the primary reason that I say it has to be rewritten before CIP v5 (and v6, and probably later versions) can be enforceable.
Here is the way most NERC entities I have talked to, as well as most auditors and others who have given presentations at Regional Entity meetings, understand the compliance process for CIP-002-5.1 R1.[i]
  1. Using the list of six asset types in R1, identify all assets owned by the entity (or operated by them) that correspond to one of those types.
  2. For each of these assets, identify those that are High or Medium impact.
  3. At each of the High or Medium impact assets, identify BES Cyber Assets using the definition, then aggregate these into BES Cyber Systems (the process - or really processes - that gets you from BCA to BCS is of course not described in the standard, but there has been some guidance published on this, including by me. My guess is auditors aren't going to worry about that too much, as long as the entity can show that every BCA is included in one or more BCS).
  4. Classify High and Medium impact BCS. Except in the case of large generating stations that fall under Criterion 2.1, all BCS located at a High asset will be High; all BCS located at a Medium asset will be Medium.
  5. List assets not classified as High or Medium as Low impact (specifically, “containing a Low BCS”). 
This is a nice, simple methodology. It corresponds very closely to the CIP v1-v3 methodology, if you substitute Critical Asset for High or Medium impact asset and Critical Cyber Asset for BES Cyber Asset and BES Cyber System. In fact, I know some entities are even using the definition of Critical Cyber Asset (a Cyber Asset “essential to the operation of” a Critical Asset) as a guide to identifying BCAs. Given that there is little guidance on how to interpret the words at the core of the BCA definition - “affect the reliable operation of the BES” – this isn’t such a terrible way to do it.
However, there is one big problem with the above methodology: it doesn’t correspond at all with the greater part of the wording of CIP-002-5.1 R1 and Attachment 1.  What does the wording actually say? Aye, there’s the rub – it’s literally impossible to give a clear account of what R1 says, other than to say that it in no way corresponds with the popular methodology described above. There are three main problems with it.
First, the wording is far too compressed. CIP-002-3 had three requirements leading up to identification of CCAs; CIP-002-5.1 has one, yet it actually encompasses (explicitly or implicitly) many more steps than the three v3 requirements did (in fact, R1 implicitly contains all 15 of the steps listed below, plus many others as well). When you’re writing regulatory standards, brevity isn’t a virtue – clarity is. Save the brevity for when you’re writing haiku poetry.
Second, some key steps are left entirely implicit; it is up to the entity to figure them out, usually by having to go to a definition. For example, one of the most important steps in the v5 asset identification process – the identification of BES Cyber Systems at Medium and High assets - is nowhere to be found in R1 (the word “Identify” is used in R1.1-1.3, but those requirement parts are actually telling the entity to classify BCS, rather than to identify them in the first place). The entity has to piece together their own idea of how to identify BCS by looking at the definitions of Cyber Asset, BCA and BCS; this leads to what I call the “bottom-up” approach to BCS identification.
But there’s another approach to BCS identification, outlined in the Guidance and Technical Basis. This one is based on the BROS, and is what I call “top-down”. There is no acknowledgement in R1 that there even are two approaches; yet since the BROS aren’t in the requirement at all but the three definitions are, by implication this means “bottom-up” is really the “required” approach. If so, why are the BROS talked about at all in the Guidance? No word on that, although I’ll give my theory on this in the next post in this series.
But I believe both approaches have their uses. Bottom-up is better for substations and Criteria 2.3 or 2.6 generating stations; top-down is better for control centers and Criterion 2.1 generating stations. You can read more about these two approaches in this post.
The third problem with R1 and Attachment 1 is that, even if you have an idea what the steps are that need to be taken to comply with R1, the order in which they need to be taken is not apparent from reading the requirement. You just need to piece them together logically.
Fortunately, I have pieced these “implied” steps together as best I can. I’m now ready to show you the primary steps that I believe are required for compliance with R1.[ii] When I get done, see if you can even remember half of them, let alone repeat them in logical order (as you read the steps below, you’ll realize that many of them actually contain a number of sub-steps).
  1. Develop a list of BES assets that meet one of the six asset types listed in R1.
  2. Decide whether, for substations, your entity will classify BCS based on the “rating” of the substation or that of the Facility (the line, transformer, bus, etc.) with which the BCS is associated.[iii] An entity that takes the second option will be able to classify some BCS at “Medium” impact substations as Low impact, not Medium. As far as I can see, most entities are taking the former option, not the latter. In almost all cases, this is because the entity doesn’t understand that there are two ways to do this (since no Regional Entity I know of has been promoting the idea that entities have these two options). In the few cases I know of where the entity understands the options and has deliberately chosen the first one, it is because they think it will complicate the asset identification process too much to implement the second option.[iv] I disagree with this assertion in general, but I do agree that there are organizational reasons why the second option might not work for many NERC entities. In any case, the entities should be told they have both options, and this isn’t being done at all now. It’s too bad, since it can potentially save an entity a lot of time and money required to implement v5 compliance.
  3. If the entity has decided to take the second option above, then it still needs to identify “Medium” substations (although a better description would be “substations containing one or more Medium impact Facilities”). At these substations, it then identifies the Medium Facilities, leaving other BES Facilities at the substation to be Low impact.[v]
  4. If the entity has decided to base their R1 process on assets, not Facilities (i.e. the first option in step 2), they must use the asset list from step 1 to identify High and Medium impact assets by running through the bright-line criteria (since criteria 2.4-2.8 refer to Facilities, this means not paying attention to that word and substituting the word “Substation”. Similar tricks have to be played with some of the other criteria, including 2.3, 2.9 and 2.10. Are you writing all of this down?).
  5. If the entity has decided to take advantage of the word “Facilities” in Criteria 2.4 to 2.8 (i.e. they’re using option 2 in the second step above), they need to identify the Facilities at each Transmission substation that meet one or more of these criteria. For example, a 500kV line will always become a Medium impact Facility under Criterion 2.4, and the substation it’s located at will be called a “Medium” substation; but a 345kV line located at the same substation will be Low impact.[vi]
  6. Once all assets and/or Facilities that are High or Medium impact have been identified, then BES Cyber Systems must be identified. This identification step, which is nowhere stated in R1 or Attachment 1[vii], is probably the most important in the R1 process. Since no BCS identification process is stated in the requirement, the entity is left to piece together whatever procedure it can, based on the definitions of Cyber Asset, BES Cyber Asset and BES Cyber System (which I call the “bottom-up” procedure). However, a different process is described in the Guidance and Technical Basis section, where the concept of BES Reliability Operating Service is introduced and used as the basis for identifying BCS (I call this the “top-down” procedure). For a description of these two procedures and when I believe each one is applicable, see this post.
  7. There is an important difference between High and Medium impact BCS that must be “overlaid” on the above procedures for identifying BCS. This is due to the fact that, in Attachment 1, High BCS are defined as those “used by and located at” High assets (which are all Control Centers, of course), while Medium BCS are defined as those “associated with” Medium assets or Facilities. This means that High BCS will always be located at the Control Center that meets the High criterion, whereas Medium BCS don’t necessarily have to be located at a Medium asset.
  8. Since BCS associated with Medium assets or Facilities don’t have to be located at the same asset, this in theory means they could be located anywhere. The one restriction is that the BCS must always be located at one of the six asset types in R1. So if an AGC system (that meets the definition of BCS/BCA – 15 minute impact, etc.) associated with a Medium generating station is located in another plant or in a Transmission substation, it will itself be a Medium BCS. If it’s located in somebody’s basement, it’s not a Medium BCS.
  9. The interesting question is how the entity will identify associated BCS that aren’t located at the Medium asset. And the answer to that is they will simply have to know they’re there. However, this is not how R1 reads. Taken literally, R1 implies that the entity has to scour every asset it has that corresponds to one of the six types, to identify BCS. Of course, High BCS will always be at a High Control Center, so the entity only needs to look at those Control Centers to find High BCS. But Medium BCS don’t have to be at a Medium asset, so every High, Medium and Low asset needs to be gone over with a fine-toothed comb to identify any BCS that are associated with any one of the Medium assets or Facilities (not just the one they’re located at). Of course, this requires conducting an inventory of every cyber asset at all Low assets, determining which of these are Cyber Assets, then determining which Cyber Assets are BES Cyber Assets (and finally grouping these into BCS). Of course, none of the regions are interpreting R1 this way, so you don’t have to worry about having to actually do this[viii]. But it’s just another example of the wording of R1 not corresponding to how people are actually going to comply with it – and the result is that the only way to sensibly comply with R1 is to disregard most of its wording.
  10. The next step in the R1 compliance process – as it is written or implied by the actual wording – is to classify the BCS that have just been identified, that are “used by and located at” High impact Control Centers and “associated with” Medium impact assets. This is pretty easy, of course, as long as you watch these words carefully. Every BCS located at a High Control Center will itself be High, unless it is associated with a Medium or Low impact asset or Facility and is not also used by the Control Center itself – in which case it will be Medium or Low. And every BCS associated with a Medium Facility and/or asset will be Medium, except for BCS in a Criterion 2.1 generating plant, which will be Low if they impact less than 1500MW (aren’t you having fun so far?).
  11. The above step needs to be modified in the case that the entity is using the second option in step 2 and classifying BCS in substations according to the Facility they’re associated with. As described in step 5, some Facilities (lines, etc.) will be Medium, some Low. The BCS (which will more often than not be relays) associated with Medium lines will be Mediums, and those associated with Low lines will be Lows.
  12. The last major step in the CIP-002-5.1 R1 compliance process is to identify Low impact assets. Since every asset that corresponds to one of the six asset types in R1 will have to be High, Medium or Low impact, all you have to do is subtract the Highs and Mediums from this list in order to identify the Lows – right? Again, this is how just about all entities will do it, but once again this requires violating the wording of the requirement (and Attachment 1). R1.3 says the entity has to identify “each asset that contains a low impact BES Cyber System according to Attachment 1, Section 3...” So now you go to Attachment 1, Section 3, and what do you find? It says you’re supposed to identify “BES Cyber Systems not included in Sections 1 or 2 above that are associated with any of the following assets...”  What’s going on here? R1.3 says you’re supposed to be identifying assets that “contain Low BCS”, yet Section 3 says you’re supposed to be identifying Low BCS themselves – even though R1.3 says explicitly that no list of Low impact BCS is required! Fortunately, all entities assume that what R1.3 is really saying is what I just showed above: you just have to take High and Medium assets out of your total asset list, to come up with Low assets. But this is another glaring instance of the fact that the only way effectively to comply with R1 is to violate its literal wording.
  13. In the “Thank God for small favors” department, there is one advantage to the fact that Low assets are referred to as “assets containing Low BCS”: If you can demonstrate that an asset on your initial Low list actually doesn’t contain any BCS, then it falls off the charts and you don’t have to apply even the Low impact requirements to it. For an asset that contains no cyber assets at all, this is very easy – it obviously can’t contain a Low BCS. For other assets that do contain cyber assets, if you want to take the time to show that none of these cyber assets meet the definition of BCA (i.e., no 15-minute impact on the grid if misused), then you should be able to remove these assets as Lows as well. I call these assets “No impact”.
  14. In putting together your Low asset list, you also need to keep in mind that any Medium or High impact assets that contain Low BCS need to be on the Low list as well. One example of this is a Criterion 2.1 plant that has some BCS that don’t affect 1500MW; these will be Low BCS, so the plant is both Medium and Low impact. Another example is a Medium substation that contains a BCS that is part of an SPS that doesn’t rise to the level of being included in Criterion 2.9, so the SPS is Low impact. This substation will also be Medium and Low. A third example: For an entity that is classifying BCS in substations based on the Facility they’re associated with, substations that contain both Medium and Low Facilities and associated BCS (for example, a Criterion 2.4 substation that contains both a 500+kV line and a 345kV line) will themselves be Medium and Low impact.
  15. Finally, if your entity has a Distribution Provider registration and owns one or more of the asset types listed in Section 4.2.1, these must be listed as Lows.
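To make the difference between the five-step consensus methodology and the 15 steps above concrete, here is a small Python model of the classification logic, written for this post as an added illustration; it is not the standard’s wording, not NERC or Regional guidance, and not code from the author. It encodes only the rules the text states: High BCS are “used by and located at” a High Control Center (step 10), Medium BCS are “associated with” a Medium asset or, under option 2, a Medium Facility (steps 2, 5, 11), a BCS at a Criterion 2.1 plant that affects less than 1500 MW is Low (step 10), a BCS “in somebody’s basement” is out of scope (step 8), Lows are found by subtraction (step 12), assets with nothing in scope located there are “No impact” (step 13), and an asset can be both Medium and Low (step 14). The asset names, the `in_r1_scope` flag standing in for the six R1 asset types, the `used_by_host` flag, and all sample figures are constructed assumptions, and only three asset kinds appear in the sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

HIGH, MEDIUM, LOW, NO_IMPACT = "High", "Medium", "Low", "No impact"
CRITERION_2_1_MW = 1500  # MW threshold the post cites for Criterion 2.1 plants


@dataclass
class Facility:
    """A Transmission Facility (line, bus, transformer) at a substation."""
    name: str
    medium: bool  # meets one of Criteria 2.4-2.8, e.g. a 500 kV line under 2.4


@dataclass
class Asset:
    name: str
    in_r1_scope: bool = True     # assumed flag: asset is one of the six R1 asset types
    high: bool = False           # Control Center meeting a High criterion
    medium: bool = False         # meets a Medium bright-line criterion
    criterion_2_1: bool = False  # large generating station under Criterion 2.1
    facilities: Dict[str, Facility] = field(default_factory=dict)


@dataclass
class BCS:
    name: str
    located_at: str                  # asset where the system physically sits
    associated_with: str             # asset it is associated with
    facility: Optional[str] = None   # Facility it is associated with (option 2)
    used_by_host: bool = True        # assumed flag: "used by" the asset it sits at
    mw_impact: Optional[int] = None  # MW it can affect, for Criterion 2.1 plants


def classify_bcs(bcs: BCS, assets: Dict[str, Asset], facility_based: bool) -> Optional[str]:
    """Steps 7-11: High, Medium or Low for one BCS; None if it is out of scope."""
    host = assets.get(bcs.located_at)
    if host is None or not host.in_r1_scope:
        return None  # step 8: a BCS in "somebody's basement" is not in scope
    assoc = assets[bcs.associated_with]
    # step 10: "used by and located at" a High Control Center -> High, unless it is
    # associated with another asset and not used by the Control Center itself
    if host.high and (bcs.used_by_host or bcs.associated_with == host.name):
        return HIGH
    # steps 4/5/11: "associated with" a Medium asset (option 1) or Medium Facility (option 2)
    if facility_based and bcs.facility is not None:
        medium = assoc.facilities[bcs.facility].medium
    else:
        medium = assoc.medium
    if not medium:
        return LOW
    if assoc.criterion_2_1 and (bcs.mw_impact or 0) < CRITERION_2_1_MW:
        return LOW  # step 10: BCS at a 2.1 plant affecting less than 1500 MW are Low
    return MEDIUM


def classify_assets(assets: Dict[str, Asset], systems: List[BCS],
                    facility_based: bool) -> Dict[str, Set[str]]:
    """Steps 12-14: impact levels per in-scope asset (an asset can be Medium and Low)."""
    levels = {a.name: set() for a in assets.values() if a.in_r1_scope}
    for a in assets.values():
        if a.in_r1_scope:
            if a.high:
                levels[a.name].add(HIGH)
            if a.medium:
                levels[a.name].add(MEDIUM)
    hosts_bcs = set()
    for s in systems:
        level = classify_bcs(s, assets, facility_based)
        if level is None:
            continue
        hosts_bcs.add(s.located_at)
        if level == LOW:
            levels[s.located_at].add(LOW)  # step 14: High/Medium assets with Low BCS are also Low
    for name, found in levels.items():
        if not found:
            # step 12: Low by subtraction; step 13: "No impact" when nothing in scope
            # is located there (assumed test: no in-scope BCS located at the asset)
            found.add(LOW if name in hosts_bcs else NO_IMPACT)
    return levels


def sample_data():
    """Constructed inventory; every name and figure is invented for the example."""
    assets = {a.name: a for a in [
        Asset("CC-1", high=True),
        Asset("Plant-A", medium=True, criterion_2_1=True),
        Asset("Sub-500", medium=True, facilities={
            "L500": Facility("L500", medium=True),     # 500 kV line, Criterion 2.4
            "L345": Facility("L345", medium=False)}),  # 345 kV line at the same station
        Asset("Sub-Low"),
        Asset("Sub-Empty"),
        Asset("Basement", in_r1_scope=False),
    ]}
    systems = [
        BCS("EMS", "CC-1", "CC-1"),
        BCS("AGC", "Sub-Low", "Plant-A", mw_impact=2000),     # step 8: Medium, not at Plant-A
        BCS("Aux-DCS", "Plant-A", "Plant-A", mw_impact=300),  # step 10: below 1500 MW
        BCS("Relay-500", "Sub-500", "Sub-500", facility="L500"),
        BCS("Relay-345", "Sub-500", "Sub-500", facility="L345"),
        BCS("Garage-box", "Basement", "Plant-A", mw_impact=2000),
    ]
    return assets, systems


def run(facility_based: bool):
    """Classify the sample inventory under option 1 (False) or option 2 (True)."""
    assets, systems = sample_data()
    bcs_levels = {s.name: classify_bcs(s, assets, facility_based) for s in systems}
    return bcs_levels, classify_assets(assets, systems, facility_based)


if __name__ == "__main__":
    for option in (False, True):
        bcs_levels, asset_levels = run(option)
        print("option 2 (Facility-based)" if option else "option 1 (asset-based)")
        print(bcs_levels)
        print(asset_levels)
```

Running it with `facility_based=False` and then `True` shows the one place the two options differ: the relay on the 345 kV line at the Criterion 2.4 substation is Medium under option 1 and Low under option 2, so the substation is “Medium” in the first case and both Medium and Low in the second. The same run shows the AGC system classified Medium while sitting at a Low substation, the sub-1500 MW system at the 2.1 plant making that plant both Medium and Low, and the substation with nothing in scope dropping to “No impact”.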

As complicated as the above list is, it in no way encompasses all of the steps required to comply with CIP-002-5.1 R1. For example, every entity needs to develop a “definition” for “Programmable”, as well as for the words “affect the BES” in the BCA definition. Every entity with substations that contain Transmission and Distribution Facilities needs to develop a methodology for distinguishing the two, as well as their associated cyber assets. Etc, etc. And then there are a huge number of questions on application of specific bright-line criteria; in fact, I don’t think you could ever write them all down, no matter how long you spent at it.
As I said in footnote ii below, I gave up a while ago on trying to write down a complete list of steps for complying with CIP-002-5.1 R1. It simply can’t be done, given the current wording of the standard. This is why literally nobody is actually following the words of R1 and Attachment 1 in their compliance process. It is simply impossible to do so.
Now compare the above 15+ steps to the five steps shown earlier in the post – that is, the list of steps that entities are actually following as they comply with CIP v5. Is there any wonder that entities are following this methodology, even though it doesn’t at all follow the actual wording of the requirement? There is simply no way an entity could comply with the actual wording of CIP-002-5.1, no matter how many years they spent trying to understand it.
In the next post, I will discuss how I believe this mess came to pass.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.

[i] Even NERC follows this model. NERC hasn’t itself put out any guidance on the R1 compliance process. However, their February filing with FERC on the results of the BES Cyber Asset Survey, which was based on an implicit idea of R1 compliance, basically follows this model.

[ii] I originally thought it would be possible to put together a list of all the steps – actual and implied – required for R1 compliance. My last two major attempts at this were both in 2014: here and here. I now realize there can be no definitive methodology, period. You could spend the rest of your life trying to document the compliance process for R1, and you’d die before you finished.

[iii] For those who may be new readers of these posts, I have been pointing out for quite a while that the substation criteria, 2.4 to 2.8, don’t actually apply to substations at all, but to the Facilities at those substations.  Facilities is a NERC-defined term and means a line, a bus, a transformer, etc. This means that some of the BCS in a substation subject to one of these criteria might be Low impact, not Medium. I’ve discussed this in a number of posts, but this post was dedicated to the issue.

[iv] Another reason is that many entities aren’t sure about what is networked to what in their substations. So even though they might be able to classify some BCS as Low, they’re concerned that it wouldn’t make a difference since they couldn’t show the Low BCS weren’t networked to the Medium BCS (which would make the Low BCS into Medium PCAs, thus subjecting them to most of the requirements of Medium BCS). I can’t argue with this idea, since they know their substations; I don’t.

[v] Of course, any purely Distribution facilities – that is, lines and other facilities that don’t meet the BES definition in the first place – will not be in scope for v5, regardless of which option the entity chooses. However, in substations that mix Transmission and Distribution facilities (e.g., a substation containing 69kV as well as 115kV lines), the people doing the inventory need clear guidance on how to separate the two types; writing this down isn’t as easy as it might seem. See this post for further discussion of this point.

[vi] Criterion 2.5 is confusing because – even though its subject is the word “Facilities” – it does actually appear to be providing a criterion for classifying the substation itself; this is the famous 3,000-point table. However, what 2.5 actually does is a) Provide a criterion for Facilities to be Medium impact (those Facilities “operating between 200 kV and 499 kV at a single station or substation”), but then b) classify those Facilities as Medium only in the case that the substation itself has three connections and meets the 3,000-point threshold. Of course, if step b weren’t there, then every line, transformer, etc. between 200 and 499kV would be Medium impact – no matter where it was located; the SDT clearly didn’t want this to happen.

[vii] R1.1 – R1.3 use the term “Identify” in sending the user to Attachment 1, but this really needs to be understood as “Classify”, since the purpose at this point is to determine which BCS are Medium or High impact. It is assumed the entity has already identified BCS at High and Medium assets, even though that step isn’t called for anywhere in R1 or Attachment 1. This is a good example where an excessive concern with brevity has made R1 impossible to comply with as written.

[viii] The “far-end relay” question is of course related to this. Many people became quite upset when they came to believe that such a relay, on a 200-499kV line that terminated in a Criterion 2.5 substation, would itself be Medium impact, even if it were at a Low substation. However, NERC’s Lesson Learned on this issue last September – which echoed what an Interested Party had pointed out to me the previous June, as shown in this post – pointed out that the particular wording of Criterion 2.5 (which wording is also in 2.6) specifically prevents this from happening. Unfortunately, this hasn’t prevented a number of people – including one or more NERC staff members very involved in the CIP v5 effort – from mistakenly saying that there is now a new principle that “Location does matter” – and this means that Medium BCS have to be located at the asset they’re associated with, just as Highs do. That is definitely not the case (although I wouldn’t object if NERC wanted to put out a further LL saying this was actually a new principle and therefore legitimate – I’ve heard it has been promulgated in one or more of the SGAS).
